Merged C2C Security Branch + Improvements

Security By Default on Objects bzr revid: fp@tinyerp.com-20080902213144-d95924bxmq8o3i0p
2008-09-02 23:31:44 +02:00 · 2008-09-02 23:31:44 +02:00 · 853b858a6c
parent dead36578f a5e4d2b9e6
commit 853b858a6c
17 changed files with 494 additions and 749 deletions
--- a/bin/addons/base/terp.py
+++ b/bin/addons/base/terp.py
@ -2,6 +2,7 @@
 ##############################################################################
 #
 # Copyright (c) 2004-2008 Tiny SPRL (http://tiny.be) All Rights Reserved.
+# Copyright (c) 2008 Camptocamp SA
 #
 # $Id$
 #
@ -37,6 +38,8 @@
    "init_xml" : [
        "base_data.xml",
        "base_menu.xml",
+        "base_security.xml",
+        "res/res_security.xml",
    ],
    "demo_xml" : [
        "base_demo.xml",
@ -44,6 +47,7 @@
        "res/partner/crm_demo.xml",
    ],
    "update_xml" : [
+        "ir.model.access.csv",
        "base_update.xml",
        "ir/wizard/wizard_menu_view.xml",
        "ir/ir.xml",
@ -68,6 +72,3 @@
    "active": True,
    "installable": True,
 }
-
-# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:
-
--- a/bin/addons/base/base.sql
+++ b/bin/addons/base/base.sql
@ -148,9 +148,6 @@ CREATE TABLE res_users (
 );
 alter table res_users add constraint res_users_login_uniq unique (login);

-insert into res_users (id,login,password,name,action_id,active) values (1,'root',NULL,'Root',NULL,False);
-select setval('res_users_id_seq', 2);
-
 CREATE TABLE res_groups (
    id serial NOT NULL,
    name varchar(32) NOT NULL,
@ -328,4 +325,9 @@ CREATE TABLE ir_model_data (
    res_id integer, primary key(id)
 );

-
+---------------------------------
+-- Users
+---------------------------------
+insert into res_users (id,login,password,name,action_id,active) values (1,'root','root','Root',NULL,True);
+insert into ir_model_data (name,module,model,noupdate,res_id) values ('user_root','base','res.users',True,1);
+select setval('res_users_id_seq', 2);
--- a/bin/addons/base/base_data.xml
+++ b/bin/addons/base/base_data.xml
@ -23,17 +23,6 @@
            <field eval="'[(\'parent_id\',\'=\',False)]'" name="domain"/>
        </record>
        
-        <record id="group_admin" model="res.groups">
-            <field name="name">Administration/Administrator</field>
-        </record>
-        
-        <record id="group_extended" model="res.groups">
-            <field name="name">Extended View</field>
-        </record>
-        <record id="group_no_one" model="res.groups">
-            <field name="name">No One</field>
-        </record>
-        
        <record id="lang_en" model="res.lang">
            <field name="code">en_US</field>
 			<field name="name">English</field>
@ -1309,7 +1298,7 @@
            <field name="accuracy">4</field>
        </record>
        <record id="rateVEB" model="res.currency.rate">
-            <field name="rate">1.0</field>
+            <field name="rate">3132.9</field>
            <field name="currency_id" ref="VEB"/>
            <field eval="time.strftime('%Y-01-01')" name="name"/>
        </record>
@ -1498,17 +1487,5 @@
            <test expr="currency_id.code == 'eur'.upper()"/>
            <test expr="name">Tiny sprl</test>
        </assert>
-        
-        <record id="user_admin" model="res.users">
-            <field name="login">admin</field>
-            <field name="password">admin</field>
-            <field name="name">Administrator</field>
-            <field name="signature">Administrator</field>
-            <field name="action_id" ref="action_menu_admin"/>
-            <field name="menu_id" ref="action_menu_admin"/>
-            <field name="address_id" ref="main_address"/>
-            <field eval="[(6,0,[group_admin])]" name="groups_id"/>
-            <field name="company_id" ref="main_company"/>
-        </record>
    </data>
 </terp>
--- a/bin/addons/base/base_demo.xml
+++ b/bin/addons/base/base_demo.xml
@ -10,7 +10,7 @@
            <field name="menu_id" ref="action_menu_admin"/>
            <field name="address_id" ref="main_address"/>
            <field name="company_id" ref="main_company"/>
+            <field name="groups_id" eval="('base.group_user')"/> 
        </record>
-        
    </data>
-</terp>
+</terp>
--- a/bin/addons/base/base_menu.xml
+++ b/bin/addons/base/base_menu.xml
@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <terp>
    <data>
-        <menuitem groups="group_admin" icon="terp-administration" id="menu_administration" name="Administration" sequence="20"/>
+        <menuitem icon="terp-administration" id="menu_administration" name="Administration" sequence="20"/>
        <menuitem id="menu_custom" name="Custom" parent="base.menu_administration" sequence="2"/>
        <menuitem id="menu_translation" name="Translations" parent="base.menu_administration" sequence="4"/>
        <menuitem id="menu_translation_app" name="Application Terms" parent="base.menu_translation" sequence="4"/>
@ -9,7 +9,5 @@
        <menuitem id="menu_users" name="Users" parent="base.menu_administration" sequence="6"/>
        <menuitem id="menu_security" name="Security" parent="base.menu_administration" sequence="8"/>
        <menuitem id="menu_management" name="Modules Management" parent="base.menu_administration" sequence="10"/>
-        
-        
    </data>
 </terp>
--- a/bin/addons/base/base_security.xml
+++ b/bin/addons/base/base_security.xml
@ -1,662 +1,168 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0"?>
 <terp>
-    <data noupdate="1">
-        <record id="access_ui_menu" model="ir.model.access">
-            <field name="name">UI menu</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.ui.menu')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_ui_menu_admin" model="ir.model.access">
-            <field name="name">UI menu</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.ui.menu')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_act_window" model="ir.model.access">
-            <field name="name">Act window</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.act_window')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_act_window_admin" model="ir.model.access">
-            <field name="name">Act window</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.act_window')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_actions" model="ir.model.access">
-            <field name="name">Actions</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.actions')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_actions_admin" model="ir.model.access">
-            <field name="name">Actions</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.actions')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_actions_report_custom" model="ir.model.access">
-            <field name="name">Actions Report Custom</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.report.custom')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_actions_report_custom_admin" model="ir.model.access">
-            <field name="name">Actions Report Custom</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.report.custom')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_actions_report_xml" model="ir.model.access">
-            <field name="name">Actions Report XML</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.report.xml')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_actions_report_xml_admin" model="ir.model.access">
-            <field name="name">Actions Report XML</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.report.xml')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_actions_act_window_view" model="ir.model.access">
-            <field name="name">Actions Act Window view</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.act_window.view')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_actions_act_window_view_admin" model="ir.model.access">
-            <field name="name">Actions Act Window view</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.act_window.view')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_actions_wizard" model="ir.model.access">
-            <field name="name">Actions Wizard</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.wizard')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_actions_wizard_admin" model="ir.model.access">
-            <field name="name">Actions Wizard</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.wizard')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_actions_url" model="ir.model.access">
-            <field name="name">Actions URL</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.url')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_actions_url_admin" model="ir.model.access">
-            <field name="name">Actions URL</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.url')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_res_groups" model="ir.model.access">
-            <field name="name">Groups</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.groups')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_res_groups_admin" model="ir.model.access">
-            <field name="name">Groups</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.groups')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_res_roles" model="ir.model.access">
-            <field name="name">Roles</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.roles')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_res_roles_admin" model="ir.model.access">
-            <field name="name">Roles</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.roles')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_res_lang" model="ir.model.access">
-            <field name="name">Lang</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.lang')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_res_lang_admin" model="ir.model.access">
-            <field name="name">Lang</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.lang')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_res_country" model="ir.model.access">
-            <field name="name">Country</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.country')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_res_country_admin" model="ir.model.access">
-            <field name="name">Country</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.country')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_res_country_state" model="ir.model.access">
-            <field name="name">Country State</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.country.state')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_res_country_state_admin" model="ir.model.access">
-            <field name="name">Country State</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.country.state')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_res_currency" model="ir.model.access">
-            <field name="name">Currency</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.currency')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_res_currency_admin" model="ir.model.access">
-            <field name="name">Currency</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.currency')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_res_currency_rate" model="ir.model.access">
-            <field name="name">Currency Rate</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.currency.rate')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_res_currency_rate_admin" model="ir.model.access">
-            <field name="name">Currency Rate</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.currency.rate')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_res_company" model="ir.model.access">
-            <field name="name">Company</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.company')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_res_company_admin" model="ir.model.access">
-            <field name="name">Company</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.company')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_res_users" model="ir.model.access">
-            <field name="name">Users</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.users')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_res_users_admin" model="ir.model.access">
-            <field name="name">Users</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.users')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_cron" model="ir.model.access">
-            <field name="name">Cron</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.cron')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_cron_admin" model="ir.model.access">
-            <field name="name">Cron</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.cron')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_model" model="ir.model.access">
-            <field name="name">Model</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.model')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_model_admin" model="ir.model.access">
-            <field name="name">Model</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.model')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_model_fields" model="ir.model.access">
-            <field name="name">Model Fields</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.model.fields')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_model_fields_admin" model="ir.model.access">
-            <field name="name">Model Fields</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.model.fields')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_model_access" model="ir.model.access">
-            <field name="name">Model Access</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.model.access')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_model_access_admin" model="ir.model.access">
-            <field name="name">Model Access</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.model.access')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_model_data" model="ir.model.access">
-            <field name="name">Model Data</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.model.data')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_model_data_admin" model="ir.model.access">
-            <field name="name">Model Data</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.model.data')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_report_custom" model="ir.model.access">
-            <field name="name">Report Custom</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.report.custom')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_report_custom_admin" model="ir.model.access">
-            <field name="name">Report Custom</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.report.custom')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_report_custom_fields" model="ir.model.access">
-            <field name="name">Report Custom Fields</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.report.custom.fields')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_report_custom_fields_admin" model="ir.model.access">
-            <field name="name">Report Custom Fields</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.report.custom.fields')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_rule_group" model="ir.model.access">
-            <field name="name">Rule group</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.rule.group')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_rule_group_admin" model="ir.model.access">
-            <field name="name">Rule group</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.rule.group')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_rule" model="ir.model.access">
-            <field name="name">Rule</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.rule')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_rule_admin" model="ir.model.access">
-            <field name="name">Rule</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.rule')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_sequence_type" model="ir.model.access">
-            <field name="name">Sequence Type</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.sequence.type')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_sequence_type_admin" model="ir.model.access">
-            <field name="name">Sequence Type</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.sequence.type')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_sequence" model="ir.model.access">
-            <field name="name">Sequence</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.sequence')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_sequence_admin" model="ir.model.access">
-            <field name="name">Sequence</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.sequence')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_view" model="ir.model.access">
-            <field name="name">View</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.ui.view')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_view_admin" model="ir.model.access">
-            <field name="name">View</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.ui.view')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_workflow" model="ir.model.access">
-            <field name="name">Workflow</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'workflow')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_workflow_admin" model="ir.model.access">
-            <field name="name">Workflow</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'workflow')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_workflow_activity" model="ir.model.access">
-            <field name="name">Workflow Activity</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'workflow.activity')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_workflow_activity_admin" model="ir.model.access">
-            <field name="name">Workflow Activity</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'workflow.activity')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_workflow_transition" model="ir.model.access">
-            <field name="name">Workflow Transition</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'workflow.transition')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_workflow_transition_admin" model="ir.model.access">
-            <field name="name">Workflow Transition</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'workflow.transition')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_module_repository" model="ir.model.access">
-            <field name="name">Module Repository</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.module.repository')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_module_repository_admin" model="ir.model.access">
-            <field name="name">Module Repository</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.module.repository')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_module_category" model="ir.model.access">
-            <field name="name">Module Category</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.module.category')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_module_category_admin" model="ir.model.access">
-            <field name="name">Module Category</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.module.category')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_module_module" model="ir.model.access">
-            <field name="name">Module</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.module.module')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_module_module_admin" model="ir.model.access">
-            <field name="name">Module</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.module.module')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_module_dependency" model="ir.model.access">
-            <field name="name">Module Dependency</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.module.module.dependency')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="False" name="perm_write"/>
-            <field eval="False" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-        <record id="access_module_dependency_admin" model="ir.model.access">
-            <field name="name">Module Dependency</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'ir.module.module.dependency')]"/>
-            <field name="group_id" ref="group_admin"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="True" name="perm_unlink"/>
-        </record>
-        
-        <record id="access_ui_menu" model="ir.model.access">
-            <field name="name">Internal Request</field>
-            <field model="ir.model" name="model_id" search="[('model', '=', 'res.request')]"/>
-            <field eval="True" name="perm_read"/>
-            <field eval="True" name="perm_write"/>
-            <field eval="True" name="perm_create"/>
-            <field eval="False" name="perm_unlink"/>
-        </record>
-    </data>
-</terp>
+<data noupdate="1">
+
+<!--
+ Users Groups
+-->
+    <record model="res.groups" id="group_system">
+        <field name="name">System</field>
+    </record>
+    
+    <record model="res.groups" id="group_erp_manager">
+        <field name="name">ERP Manager</field>
+    </record>
+    
+    <record model="res.groups" id="group_user">
+        <field name="name">Employee</field>
+    </record>
+
+    <record model="res.groups" id="group_account_manager">
+        <field name="name">Account Manager</field>
+    </record>
+
+    <record model="res.groups" id="group_request">
+        <field name="name">Request</field>
+    </record>
+
+    <record model="res.groups" id="group_cron">
+        <field name="name">Cron Jobs</field>
+    </record>
+    
+    <record model="res.groups" id="group_extended">
+        <field name="name">Extended View</field>
+    </record>
+    
+    <record model="res.groups" id="group_no_one">
+        <field name="name">No One</field>
+    </record>
+
+<!--
+ Users
+-->
+    <record model="res.users" id="base.user_root">
+        <field name="signature">Administrator</field>
+        <field name="address_id" ref="main_address"/>
+        <field name="company_id" ref="main_company"/>
+        <field name="action_id" ref="action_menu_admin"/>
+        <field name="menu_id" ref="action_menu_admin"/>
+    </record>
+
+<!--
+ Access
+-->
+
+<!--Don't remove after-->
+    <record model="ir.model.access" id="access_ir_actions_employee">
+        <field name="name">ir.actions.actions Employee</field>
+        <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.actions')]"/>
+        <field name="group_id" ref="group_user"/>
+        <field name="perm_read" eval="1"/>
+        <field name="perm_write" eval="0"/>
+        <field name="perm_create" eval="0"/>
+        <field name="perm_unlink" eval="0"/>
+    </record>
+    
+    <record model="ir.model.access" id="access_ir_actions_act_window_employee">
+        <field name="name">ir.actions.act_window Employee</field>
+        <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.act_window')]"/>
+        <field name="group_id" ref="group_user"/>
+        <field name="perm_read" eval="1"/>
+        <field name="perm_write" eval="0"/>
+        <field name="perm_create" eval="0"/>
+        <field name="perm_unlink" eval="0"/>
+    </record>
+    
+    <record model="ir.model.access" id="access_ir_actions_act_window_employee">
+        <field name="name">ir.actions.act_window_close System</field>
+        <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.act_window_close')]"/>
+        <field name="group_id" ref="group_system"/>
+        <field name="perm_read" eval="1"/>
+        <field name="perm_write" eval="0"/>
+        <field name="perm_create" eval="0"/>
+        <field name="perm_unlink" eval="0"/>
+    </record>
+    
+    <record model="ir.model.access" id="access_ir_actions_act_window_employee">
+        <field name="name">ir.actions.act_window_close System</field>
+        <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.report.xml')]"/>
+        <field name="group_id" ref="group_system"/>
+        <field name="perm_read" eval="1"/>
+        <field name="perm_write" eval="0"/>
+        <field name="perm_create" eval="0"/>
+        <field name="perm_unlink" eval="0"/>
+    </record>
+    
+    <record model="ir.model.access" id="access_ir_actions_act_window_employee">
+        <field name="name">ir.actions.act_window_close System</field>
+        <field model="ir.model" name="model_id" search="[('model', '=', 'ir.actions.wizard')]"/>
+        <field name="group_id" ref="group_system"/>
+        <field name="perm_read" eval="1"/>
+        <field name="perm_write" eval="0"/>
+        <field name="perm_create" eval="0"/>
+        <field name="perm_unlink" eval="0"/>
+    </record>
+    
+    <record model="ir.model.access" id="access_workflow_group_system">
+        <field name="name">workflow group_system</field>
+        <field name="model_id" model="ir.model" search="[('model', '=', 'workflow')]"/>
+        <field name="group_id" ref="group_system"/>
+        <field name="perm_read" eval="1"/>
+        <field name="perm_write" eval="0"/>
+        <field name="perm_create" eval="0"/>
+        <field name="perm_unlink" eval="0"/>
+    </record>
+
+    <record model="ir.model.access" id="access_workflow_activity_group_system">
+        <field name="name">workflow_activity group_system</field>
+        <field name="model_id" model="ir.model" search="[('model', '=', 'workflow.activity')]"/>
+        <field name="group_id" ref="group_system"/>
+        <field name="perm_read" eval="1"/>
+        <field name="perm_write" eval="0"/>
+        <field name="perm_create" eval="0"/>
+        <field name="perm_unlink" eval="0"/>
+    </record>
+
+    <record model="ir.model.access" id="access_workflow_instance_group_system">
+        <field name="name">workflow_instance group_system</field>
+        <field name="model_id" model="ir.model" search="[('model', '=', 'workflow.instance')]"/>
+        <field name="group_id" ref="group_system"/>
+        <field name="perm_read" eval="1"/>
+        <field name="perm_write" eval="0"/>
+        <field name="perm_create" eval="0"/>
+        <field name="perm_unlink" eval="0"/>
+    </record>
+
+    <record model="ir.model.access" id="access_workflow_transition_group_system">
+        <field name="name">workflow_transition group_system</field>
+        <field name="model_id" model="ir.model" search="[('model', '=', 'workflow.transition')]"/>
+        <field name="group_id" ref="group_system"/>
+        <field name="perm_read" eval="1"/>
+        <field name="perm_write" eval="0"/>
+        <field name="perm_create" eval="0"/>
+        <field name="perm_unlink" eval="0"/>
+    </record>
+
+    <record model="ir.model.access" id="access_workflow_triggers_group_system">
+        <field name="name">workflow_triggers group_system</field>
+        <field name="model_id" model="ir.model" search="[('model', '=', 'workflow.triggers')]"/>
+        <field name="group_id" ref="group_system"/>
+        <field name="perm_read" eval="1"/>
+        <field name="perm_write" eval="0"/>
+        <field name="perm_create" eval="0"/>
+        <field name="perm_unlink" eval="0"/>
+    </record>
+
+    <record model="ir.model.access" id="access_workflow_workitem_group_system">
+        <field name="name">workflow_workitem group_system</field>
+        <field name="model_id" model="ir.model" search="[('model', '=', 'workflow.workitem')]"/>
+        <field name="group_id" ref="group_system"/>
+        <field name="perm_read" eval="1"/>
+        <field name="perm_write" eval="0"/>
+        <field name="perm_create" eval="0"/>
+        <field name="perm_unlink" eval="0"/>
+    </record>
+<!--Don't remove before-->
+
+</data>
+</terp>
--- a/bin/addons/base/base_update.xml
+++ b/bin/addons/base/base_update.xml
@ -29,6 +29,14 @@
                        </page>
                        <page string="Access Rights">
                            <field colspan="4" name="model_access" nolabel="1">
+                                <tree string="Access Rules" editable="top">
+                                    <field name="model_id"/>
+                                    <field name="perm_read"/>
+                                    <field name="perm_write"/>
+                                    <field name="perm_create"/>
+                                    <field name="perm_unlink"/>
+                                    <field name="name"/>
+                                </tree>
                                <form string="Access Controls">
                                    <field colspan="4" name="name" select="1"/>
                                    <field name="model_id" select="1"/>
@ -40,8 +48,17 @@
                                </form>
                            </field>
                        </page>
+                        <page string="Menus">
+                            <field colspan="4" name="menu_access"/>
+                        </page>
                        <page string="Rules">
-                            <field colspan="4" name="rule_groups" nolabel="1"/>
+                            <field colspan="4" name="rule_groups" nolabel="1">
+                                <tree string="Rules">
+                                    <field name="name"/>
+                                    <field name="model_id"/>
+                                    <field name="global"/>
+                                </tree>
+                            </field>
                        </page><page string="Notes">
                            <field colspan="4" name="comment" nolabel="1"/>
                        </page>
--- a/bin/addons/base/ir.model.access.csv
+++ b/bin/addons/base/ir.model.access.csv
@ -0,0 +1,73 @@
+id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
+access_ir_attachment_group_system,ir_attachment group_system,model_ir_attachment,group_system,1,0,0,0
+access_ir_cron_group_cron,ir_cron group_cron,model_ir_cron,group_cron,1,1,1,1
+access_ir_default_group_system,ir_default group_system,model_ir_default,group_system,1,0,0,0
+access_ir_exports_group_system,ir_exports group_system,model_ir_exports,group_system,1,0,0,0
+access_ir_exports_line_group_system,ir_exports_line group_system,model_ir_exports_line,group_system,1,0,0,0
+access_ir_model_group_system,ir_model group_system,model_ir_model,group_system,1,0,0,0
+access_ir_model_access_group_system,ir_model_access group_system,model_ir_model_access,group_system,1,0,0,0
+access_ir_model_config_group_system,ir_model_config group_system,model_ir_model_config,group_system,1,0,0,0
+access_ir_model_data_group_user,ir_model_data group_user,model_ir_model_data,group_user,1,1,0,0
+access_ir_model_fields_group_user,ir_model_fields group_user,model_ir_model_fields,group_user,1,1,0,0
+access_ir_module_category_group_user,ir_module_category group_user,model_ir_module_category,group_user,1,1,0,0
+access_ir_module_module_group_user,ir_module_module group_user,model_ir_module_module,group_user,1,1,0,0
+access_ir_module_module_configuration_step_group_system,ir_module_module_configuration_step group_system,model_ir_module_module_configuration_step,group_system,1,0,0,0
+access_ir_module_module_configuration_wizard_group_system,ir_module_module_configuration_wizard group_system,model_ir_module_module_configuration_wizard,group_system,1,0,0,0
+access_ir_module_module_dependency_group_system,ir_module_module_dependency group_system,model_ir_module_module_dependency,group_system,1,0,0,0
+access_ir_module_repository_group_system,ir_module_repository group_system,model_ir_module_repository,group_system,1,0,0,0
+access_ir_property_group_user,ir_property group_user,model_ir_property,group_user,1,0,0,0
+access_ir_report_custom_group_system,ir_report_custom group_system,model_ir_report_custom,group_system,1,0,0,0
+access_ir_report_custom_fields_group_system,ir_report_custom_fields group_system,model_ir_report_custom_fields,group_system,1,0,0,0
+access_ir_rule_group_user,ir_rule group_user,model_ir_rule,group_user,1,0,0,0
+access_ir_rule_group_group_user,ir_rule_group group_user,model_ir_rule_group,group_user,1,0,0,0
+access_ir_sequence_group_user,ir_sequence group_user,model_ir_sequence,group_user,1,0,0,0
+access_ir_sequence_type_group_user,ir_sequence_type group_user,model_ir_sequence_type,group_user,1,0,0,0
+access_ir_translation_group_system,ir_translation group_system,model_ir_translation,group_system,1,0,0,0
+access_ir_ui_menu_group_user,ir_ui_menu group_user,model_ir_ui_menu,group_user,1,0,0,0
+access_ir_ui_view_group_user,ir_ui_view group_user,model_ir_ui_view,group_user,1,0,0,0
+access_ir_ui_view_sc_group_user,ir_ui_view_sc group_user,model_ir_ui_view_sc,group_user,1,1,0,0
+access_ir_values_group_erp_manager,ir_values group_erp_manager,model_ir_values,group_erp_manager,0,1,0,0
+access_ir_values_group_user,ir_values group_user,model_ir_values,group_user,1,0,0,0
+access_wizard_ir_model_menu_create_group_system,wizard_ir_model_menu_create group_system,model_wizard_ir_model_menu_create,group_system,1,0,0,0
+access_wizard_ir_model_menu_create_line_group_system,wizard_ir_model_menu_create_line group_system,model_wizard_ir_model_menu_create_line,group_system,1,0,0,0
+access_wizard_module_lang_export_group_system,wizard_module_lang_export group_system,model_wizard_module_lang_export,group_system,1,0,0,0
+access_res_company_group_erp_manager,res_company group_erp_manager,model_res_company,group_erp_manager,1,1,1,1
+access_res_company_group_user,res_company group_user,model_res_company,group_user,1,0,0,0
+access_res_country_group_user,res_country group_user,model_res_country,group_user,1,0,0,0
+access_res_country_state_group_user,res_country_state group_user,model_res_country_state,group_user,1,0,0,0
+access_res_currency_group_user,res_currency group_user,model_res_currency,group_user,1,0,0,0
+access_res_currency_rate_group_account_manager,res_currency_rate group_account_manager,model_res_currency_rate,group_account_manager,1,1,1,1
+access_res_currency_rate_group_user,res_currency_rate group_user,model_res_currency_rate,group_user,1,0,0,0
+access_res_groups_group_erp_manager,res_groups group_erp_manager,model_res_groups,group_erp_manager,1,1,1,1
+access_res_groups_group_user,res_groups group_user,model_res_groups,group_user,1,0,0,0
+access_res_lang_group_user,res_lang group_user,model_res_lang,group_user,1,0,0,0
+access_res_partner_group_partner_manager,res_partner group_partner_manager,model_res_partner,group_partner_manager,0,0,0,1
+access_res_partner_group_user,res_partner group_user,model_res_partner,group_user,1,1,1,0
+access_res_partner_address_group_partner_manager,res_partner_address group_partner_manager,model_res_partner_address,group_partner_manager,0,0,0,1
+access_res_partner_address_group_user,res_partner_address group_user,model_res_partner_address,group_user,1,1,1,0
+access_res_partner_bank_group_user,res_partner_bank group_user,model_res_partner_bank,group_user,1,1,1,0
+access_res_partner_bank_group_partner_manager,res_partner_bank group_partner_manager,model_res_partner_bank,group_partner_manager,0,0,0,1
+access_res_partner_bank_type_group_partner_manager,res_partner_bank_type group_partner_manager,model_res_partner_bank_type,group_partner_manager,0,0,0,1
+access_res_partner_bank_type_group_user,res_partner_bank_type group_user,model_res_partner_bank_type,group_user,1,1,1,0
+access_res_partner_bank_type_field_group_partner_manager,res_partner_bank_type_field group_partner_manager,model_res_partner_bank_type_field,group_partner_manager,0,0,0,1
+access_res_partner_bank_type_field_group_user,res_partner_bank_type_field group_user,model_res_partner_bank_type_field,group_user,1,1,1,0
+access_res_partner_canal_group_user,res_partner_canal group_user,model_res_partner_canal,group_user,1,1,1,0
+access_res_partner_canal_group_partner_manager,res_partner_canal group_partner_manager,model_res_partner_canal,group_partner_manager,0,0,0,1
+access_res_partner_category_group_user,res_partner_category group_user,model_res_partner_category,group_user,1,1,1,0
+access_res_partner_category_group_partner_manager,res_partner_category group_partner_manager,model_res_partner_category,group_partner_manager,0,0,0,1
+access_res_partner_event_group_partner_manager,res_partner_event group_partner_manager,model_res_partner_event,group_partner_manager,0,0,0,1
+access_res_partner_event_group_user,res_partner_event group_user,model_res_partner_event,group_user,1,1,1,0
+access_res_partner_event_type_group_partner_manager,res_partner_event_type group_partner_manager,model_res_partner_event_type,group_partner_manager,0,0,0,1
+access_res_partner_event_type_group_user,res_partner_event_type group_user,model_res_partner_event_type,group_user,1,1,1,0
+access_res_partner_function_group_user,res_partner_function group_user,model_res_partner_function,group_user,1,1,1,0
+access_res_partner_function_group_partner_manager,res_partner_function group_partner_manager,model_res_partner_function,group_partner_manager,0,0,0,1
+access_res_partner_som_group_user,res_partner_som group_user,model_res_partner_som,group_user,1,1,1,0
+access_res_partner_som_group_partner_manager,res_partner_som group_partner_manager,model_res_partner_som,group_partner_manager,0,0,0,1
+access_res_partner_title_group_user,res_partner_title group_user,model_res_partner_title,group_user,1,1,1,0
+access_res_partner_title_group_partner_manager,res_partner_title group_partner_manager,model_res_partner_title,group_partner_manager,0,0,0,1
+access_res_request_group_user,res_request group_user,model_res_request,group_user,1,0,0,0
+access_res_request_group_request,res_request group_request,model_res_request,group_request,1,1,1,1
+access_res_request_history_group_user,res_request_history group_user,model_res_request_history,group_user,1,0,0,0
+access_res_request_link_group_user,res_request_link group_user,model_res_request_link,group_user,1,0,0,0
+access_res_users_group_user,res_users group_user,model_res_users,group_user,1,1,0,0
+access_res_users_group_erp_manager,res_users group_erp_manager,model_res_users,group_erp_manager,1,1,1,1
--- a/bin/addons/base/ir/ir.xml
+++ b/bin/addons/base/ir/ir.xml
@ -965,15 +965,16 @@
            </field>
        </record>
        <record id="ir_access_act" model="ir.actions.act_window">
-            <field name="name">Access controls</field>
+            <field name="name">Access controls List</field>
            <field name="res_model">ir.model.access</field>
            <field name="view_type">form</field>
            <field name="view_id" ref="ir_access_view_tree"/>
        </record>
-        <menuitem action="ir_access_act" id="menu_ir_access_act" parent="base.menu_security"/>
+        <menuitem name="Access Conrols" id="menu_security_access" parent="menu_security"/>
+        <menuitem action="ir_access_act" id="menu_ir_access_act" parent="menu_security_access"/>

        <!-- Rules -->
-        
+
        <record id="view_rule_group_form" model="ir.ui.view">
            <field name="name">Record rules</field>
            <field name="model">ir.rule.group</field>
@ -1147,8 +1148,8 @@
            <field name="context">{'key':'server_action'}</field>
        </record>
        <menuitem action="action_server_action" id="menu_server_action" parent="base.next_id_6"/>
-		
-		<record id="view_model_fields_tree" model="ir.ui.view">
+
+        <record id="view_model_fields_tree" model="ir.ui.view">
            <field name="name">ir.model.fields.tree</field>
            <field name="model">ir.model.fields</field>
            <field name="type">tree</field>
@ -1161,5 +1162,42 @@
                </tree>
            </field>
        </record>
+
+
+        <record id="ir_access_view_form" model="ir.ui.view">
+            <field name="name">ir.model.access.form</field>
+            <field name="model">ir.model.access</field>
+            <field name="type">form</field>
+            <field name="arch" type="xml">
+                <form string="Access controls">
+                    <field colspan="4" name="name" select="1"/>
+                    <field name="model_id" select="1"/>
+                    <field name="group_id" select="1"/>
+                    <newline/>
+                    <field name="perm_read"/>
+                    <field name="perm_write"/>
+                    <field name="perm_create"/>
+                    <field name="perm_unlink"/>
+                </form>
+            </field>
+        </record>
+        <record id="ir_access_act" model="ir.actions.act_window">
+            <field name="name">Access controls List</field>
+            <field name="res_model">ir.model.access</field>
+            <field name="view_type">form</field>
+            <field name="view_id" ref="ir_access_view_tree"/>
+        </record>
+        <menuitem name="Access Conrols" id="menu_security_access" parent="menu_security"/>
+        <menuitem action="ir_access_act" id="menu_ir_access_act" parent="menu_security_access"/>
+
+
+        <record model="ir.actions.act_window" id="action_model_grid_security">
+            <field name="name">Access Controls Grid</field>
+            <field name="res_model">ir.model.grid</field>
+            <field name="view_type">form</field>
+            <field name="view_mode">tree,form</field>
+        </record>
+        <menuitem action="action_model_grid_security" id="menu_ir_access_grid" parent="menu_security_access"/>
+
    </data>
 </terp>
--- a/bin/addons/base/ir/ir_model.py
+++ b/bin/addons/base/ir/ir_model.py
@ -1,7 +1,7 @@
-# -*- encoding: utf-8 -*-
 ##############################################################################
 #
 # Copyright (c) 2004-2008 TINY SPRL. (http://tiny.be) All Rights Reserved.
+# Copyright (c) 2008 Camptocamp SA
 #
 # $Id$
 #
@ -50,13 +50,13 @@ class ir_model(osv.osv):
        'model': fields.char('Object Name', size=64, required=True, search=1),
        'info': fields.text('Information'),
        'field_id': fields.one2many('ir.model.fields', 'model_id', 'Fields', required=True),
-        'state': fields.selection([('manual','Custom Object'),('base','Base Field')],'Manualy Created',readonly=1),
+        'state': fields.selection([('manual','Custom Object'),('base','Base Object')],'Manualy Created',readonly=1),
+        'access': fields.one2many('ir.model.access', 'model_id', 'Access'),
    }
    _defaults = {
        'model': lambda *a: 'x_',
        'state': lambda self,cr,uid,ctx={}: (ctx and ctx.get('manual',False)) and 'manual' or 'base',
    }
-    
    def _check_model_name(self, cr, uid, ids):
        for model in self.browse(cr, uid, ids):
            if model.state=='manual':
@ -97,6 +97,97 @@ class ir_model(osv.osv):
            x_custom_model._rec_name = x_custom_model._columns.keys()[0]
 ir_model()

+
+class ir_model_grid(osv.osv):
+    _name = 'ir.model.grid'
+    _table = 'ir_model'
+    _description = "Objects Security Grid"
+    _rec_name = 'name'
+    _columns = {
+        'name': fields.char('Object', size=64),
+        'model': fields.char('Object Name', size=64),
+    }
+
+    def create(self, cr, uid, vals, context=None):
+        raise osv.except_osv('Error !', 'You cannot add an entry to this view !')
+
+    def unlink(self, *args, **argv):
+        raise osv.except_osv('Error !', 'You cannot add an entry to this view !')
+    
+    def read(self, cr, uid, ids, fields=None, context=None, load='_classic_read'):
+        result = super(osv.osv, self).read(cr, uid, ids, fields, context, load)        
+        allgr = self.pool.get('res.groups').search(cr, uid, [], context=context)
+        acc_obj = self.pool.get('ir.model.access')
+        for res in result:
+            rules = acc_obj.search(cr, uid, [('model_id', '=', res['id'])])
+            rules_br = acc_obj.browse(cr, uid, rules, context=context)
+            for g in allgr:
+                res['group_'+str(g)] = ''
+            for rule in rules_br:
+                perm_list = []
+                if rule.perm_read:
+                    perm_list.append('r')
+                if rule.perm_write:
+                    perm_list.append('w')
+                if rule.perm_create:
+                    perm_list.append('c')
+                if rule.perm_unlink:
+                    perm_list.append('u')
+                perms = ",".join(perm_list)
+                res['group_%i'%rule.group_id.id] = perms
+        return result
+
+    #
+    # This function do not write fields from ir.model because
+    # access rights may be different for managing models and
+    # access rights
+    #
+    def write(self, cr, uid, ids, vals, context=None):
+        vals_new = vals.copy()
+        acc_obj = self.pool.get('ir.model.access')
+        for grid in self.browse(cr, uid, ids, context=context):
+            model_id = grid.id
+            perms_rel = ['read','write','create','unlink']
+            for val in vals:
+                if not val[:6]=='group_':
+                    continue
+                group_id = int(val[6:])
+                rules = acc_obj.search(cr, uid, [('model_id', '=', model_id),('group_id', '=', group_id)])
+                if not rules:
+                    rules = [acc_obj.create(cr, uid, {
+                        'name': grid.name,
+                        'model_id':model_id,
+                        'group_id':group_id
+                    }) ]
+                vals = dict(map(lambda x: ('perm_'+x, x[0] in (vals[val] or '')), perms_rel))
+                acc_obj.write(cr, uid, rules, vals, context=context)
+        return True
+
+    def fields_get(self, cr, uid, fields=None, context=None, read_access=True):
+        result = super(ir_model_grid, self).fields_get(cr, uid, fields, context)
+        groups = self.pool.get('res.groups').search(cr, uid, [])
+        groups_br = self.pool.get('res.groups').browse(cr, uid, groups)
+        for group in groups_br:
+            result['group_%i'%group.id] = {'string': '%s'%group.name,'type': 'char','size': 7}
+        return result
+
+    def fields_view_get(self, cr, uid, view_id=None, view_type='form', context={}, toolbar=False):
+        result = super(ir_model_grid, self).fields_view_get(cr, uid, view_id, view_type, context=context, toolbar=toolbar)
+        groups = self.pool.get('res.groups').search(cr, uid, [])
+        groups_br = self.pool.get('res.groups').browse(cr, uid, groups)
+        cols = ['model', 'name']
+        xml = '''<?xml version="1.0"?>
+<%s editable="bottom">
+    <field name="name" select="1" readonly="1"/>
+    <field name="model" select="1" readonly="1"/>''' % (view_type,)
+        for group in groups_br:
+            xml += '''<field name="group_%i" sum="%s"/>''' % (group.id, group.name)
+        xml += '''</%s>''' % (view_type,)
+        result['arch'] = xml
+        result['fields'] = self.fields_get(cr, uid, cols, context)
+        return result
+ir_model_grid()
+
 class ir_model_fields(osv.osv):
    _name = 'ir.model.fields'
    _description = "Fields"
@ -176,7 +267,7 @@ class ir_model_access(osv.osv):
        res = False
        grouparr  = group.split('.')
        if grouparr:
-            cr.execute("select * from res_groups_users_rel where uid=" + str(uid) + " and gid in(select res_id from ir_model_data where module='%s' and name='%s')" % (grouparr[0], grouparr[1]))
+            cr.execute("select * from res_groups_users_rel where uid=" + str(uid) + " and gid in(select res_id from ir_model_data where module=%s and name=%s)", (grouparr[0], grouparr[1],))
            r = cr.fetchall()   
            if not r:
                res = False
@ -186,30 +277,29 @@ class ir_model_access(osv.osv):
            res = False
        return res
    
+    def check_groups_by_id(self, cr, uid, group_id):
+        cr.execute("select * from res_groups_users_rel where uid=%i and gid=%i", (uid, group_id,))
+        r = cr.fetchall()    
+        if not r:
+            res = False
+        else:
+            res = True
+        return res
+    
    def check(self, cr, uid, model_name, mode='read',raise_exception=True):
-        assert mode in ['read','write','create','unlink'], 'Invalid access mode for security'
-        if uid == 1:
+        # Users root have all access (Todo: exclude xml-rpc requests)
+        if uid==1:
            return True
-
+        
+        assert mode in ['read','write','create','unlink'], 'Invalid access mode'
+        
+        # We check if a specific rule exists
        cr.execute('SELECT MAX(CASE WHEN perm_'+mode+' THEN 1 else 0 END) '
-            'FROM ir_model_access a '
-                'JOIN ir_model m '
-                    'ON (a.model_id=m.id) '
-                'JOIN res_groups_users_rel gu '
-                    'ON (gu.gid = a.group_id) '
-            'WHERE m.model = %s AND gu.uid = %s', (model_name, uid,))
+            'from ir_model_access a join ir_model m on (m.id=a.model_id) '
+                'join res_groups_users_rel gu on (gu.gid = a.group_id) '
+            'where m.model=%s and gu.uid=%s', (model_name, uid,))
        r = cr.fetchall()
-        if r[0][0] == None:
-            cr.execute('SELECT MAX(CASE WHEN perm_'+mode+' THEN 1 else 0 END) '
-                'FROM ir_model_access a '
-                    'JOIN ir_model m '
-                        'ON (a.model_id = m.id) '
-                'WHERE a.group_id IS NULL AND m.model = %s', (model_name,))
-            r= cr.fetchall()
-            if r[0][0] == None:
-                return True # Changed waiting final rules
-                #return False # by default, the user had no access
-
+        
        if not r[0][0]:
            if raise_exception:
                msgs = {
@ -218,14 +308,13 @@ class ir_model_access(osv.osv):
                        'create': _('You can not create this kind of document! (%s)'),
                        'unlink': _('You can not delete this document! (%s)'),
                        }
-                # due to the assert at the begin of the function, we will never have a KeyError
                raise except_orm(_('AccessError'), msgs[mode] % model_name )
        return r[0][0]

    check = tools.cache()(check)

    #
-    # Methods to clean the cache on the Check Method.
+    # Check rights on actions
    #
    def write(self, cr, uid, *args, **argv):
        res = super(ir_model_access, self).write(cr, uid, *args, **argv)
@ -239,6 +328,10 @@ class ir_model_access(osv.osv):
        res = super(ir_model_access, self).unlink(cr, uid, *args, **argv)
        self.check()
        return res
+    def read(self, cr, uid, *args, **argv):
+        res = super(ir_model_access, self).read(cr, uid, *args, **argv)
+        self.check()
+        return res
 ir_model_access()

 class ir_model_data(osv.osv):
@ -430,6 +523,38 @@ class ir_model_data(osv.osv):
        return True
 ir_model_data()

+class ir_model_config(osv.osv):
+    _name = 'ir.model.config'
+    _columns = {
+        'password': fields.char('Password', size=64),
+        'password_check': fields.char('confirmation', size=64),
+    }
+
+    def action_cancel(self, cr, uid, ids, context={}):
+        return {
+            'view_type': 'form',
+            "view_mode": 'form',
+            'res_model': 'ir.module.module.configuration.wizard',
+            'type': 'ir.actions.act_window',
+            'target':'new',
+        }
+    
+    def action_update_pw(self, cr, uid, ids, context={}):
+        res = self.read(cr,uid,ids)[0]
+        root = self.pool.get('res.users').browse(cr, uid, [1])[0]
+        self.unlink(cr, uid, [res['id']])
+        if res['password']!=res['password_check']:
+            raise except_orm(_('Error'), _("Password mismatch !"))
+        elif not res['password']:
+            raise except_orm(_('Error'), _("Password empty !"))
+        self.pool.get('res.users').write(cr, uid, [root.id], {'password':res['password']})
+        return {
+            'view_type': 'form',
+            "view_mode": 'form',
+            'res_model': 'ir.module.module.configuration.wizard',
+            'type': 'ir.actions.act_window',
+            'target':'new',
+        }
+ir_model_config()

 # vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:
-
--- a/bin/addons/base/module/module_wizard.xml
+++ b/bin/addons/base/module/module_wizard.xml
@ -11,7 +11,7 @@
            <field name="name">Update Modules List</field>
            <field name="wiz_name">module.module.update</field>
        </record>
-        <menuitem action="wizard_update" groups="group_admin" icon="STOCK_CONVERT" id="menu_module_update" parent="menu_management" type="wizard"/>
+        <menuitem action="wizard_update" icon="STOCK_CONVERT" id="menu_module_update" parent="menu_management" type="wizard"/>
        
        <wizard id="wizard_upgrade" model="ir.module.module" name="module.upgrade" string="Apply Scheduled Upgrades"/>
        <menuitem action="wizard_upgrade" id="menu_wizard_upgrade" parent="menu_management" type="wizard"/>
--- a/bin/addons/base/res/country_view.xml
+++ b/bin/addons/base/res/country_view.xml
@ -38,7 +38,7 @@
        </record>
        
        <menuitem id="menu_localisation" name="Localisation" parent="menu_base_config"/>
-        <menuitem action="action_country" groups="group_admin" id="menu_country_partner" parent="menu_localisation"/>
+        <menuitem action="action_country" id="menu_country_partner" parent="menu_localisation"/>
        
        <!--
 		State
@ -78,7 +78,7 @@
            <field name="view_id" ref="view_country_state_tree"/>
        </record>
        
-        <menuitem action="action_country_state" groups="group_admin" id="menu_country_state_partner" parent="menu_localisation"/>
+        <menuitem action="action_country_state" id="menu_country_state_partner" parent="menu_localisation"/>
        
    </data>
 </terp>
--- a/bin/addons/base/res/partner/crm_view.xml
+++ b/bin/addons/base/res/partner/crm_view.xml
@ -19,7 +19,7 @@
            <field name="view_type">form</field>
            <field name="view_mode">tree,form</field>
        </record>
-        <menuitem id="next_id_14" name="Partner Events" parent="base.menu_base_config"/><menuitem action="res_partner_canal-act" groups="group_admin" id="menu_res_partner_canal-act" parent="next_id_14"/>
+        <menuitem id="next_id_14" name="Partner Events" parent="base.menu_base_config"/><menuitem action="res_partner_canal-act" id="menu_res_partner_canal-act" parent="next_id_14"/>
        
        <record id="res_partner_event_type-view" model="ir.ui.view">
            <field name="name">res.partner.event.type.form</field>
@ -53,7 +53,7 @@
            <field name="view_mode">tree,form</field>
            <field name="context">{'active_test': False}</field>
        </record>
-        <menuitem action="res_partner_event_type-act" groups="group_admin" id="menu_res_partner_event_type-act" parent="base.next_id_14"/>
+        <menuitem action="res_partner_event_type-act" id="menu_res_partner_event_type-act" parent="base.next_id_14"/>
        
        <record id="res_partner_som_tree-view" model="ir.ui.view">
            <field name="name">res.partner.som.tree</field>
@ -84,7 +84,7 @@
            <field name="view_type">form</field>
            <field name="view_mode">tree,form</field>
        </record>
-        <menuitem action="res_partner_som-act" groups="group_admin" id="menu_res_partner_som-act" parent="base.next_id_14"/>
+        <menuitem action="res_partner_som-act" id="menu_res_partner_som-act" parent="base.next_id_14"/>
        
        <record id="res_partner_event-wopartner-view_form" model="ir.ui.view">
            <field name="name">res.partner.event.form</field>
--- a/bin/addons/base/res/partner/partner_demo.xml
+++ b/bin/addons/base/res/partner/partner_demo.xml
@ -195,7 +195,7 @@
        <record id="res_partner_11" model="res.partner">
            <field name="name">Leclerc</field>
            <field eval="1200.00" name="credit_limit"/>
-            <field name="user_id" ref="user_admin"/>
+            <field name="user_id" ref="user_demo"/>
            <field eval="[(6, 0, [ref('res_partner_category_0')])]" name="category_id"/>
        </record>
        <record id="res_partner_14" model="res.partner">
@ -210,7 +210,7 @@
            <field name="ean13">3020178570171</field>
            <field name="parent_id" ref="res_partner_14"/>
            <field eval="1500.00" name="credit_limit"/>
-            <field name="user_id" ref="user_admin"/>
+            <field name="user_id" ref="user_demo"/>
            <field eval="[(6, 0, [ref('res_partner_category_11')])]" name="category_id"/>
        </record>
        
--- a/bin/addons/base/res/partner/partner_view.xml
+++ b/bin/addons/base/res/partner/partner_view.xml
@ -3,7 +3,7 @@
    <data>
        <menuitem icon="terp-partner" id="menu_base_partner" name="Partners" sequence="0"/>
        
-        <menuitem groups="group_admin" id="menu_base_config" name="Configuration" parent="menu_base_partner" sequence="1"/>
+        <menuitem id="menu_base_config" name="Configuration" parent="menu_base_partner" sequence="1"/>
        
        <!--
    ================================
@ -38,7 +38,7 @@
            <field name="res_model">res.partner.function</field>
            <field name="view_type">form</field>
        </record>
-        <menuitem action="action_partner_function_form" groups="group_admin" id="menu_partner_function_form" parent="base.menu_base_config"/>
+        <menuitem action="action_partner_function_form" id="menu_partner_function_form" parent="base.menu_base_config"/>
        
        <!--
    =====================
@ -173,7 +173,7 @@
            <field name="res_model">res.partner.title</field>
            <field name="view_type">form</field>
        </record>
-        <menuitem action="action_partner_title" groups="group_admin" id="menu_partner_title" parent="base.menu_base_config"/>
+        <menuitem action="action_partner_title" id="menu_partner_title" parent="base.menu_base_config"/>
        
        <!--
    =======================
--- a/bin/addons/base/res/res_security.xml
+++ b/bin/addons/base/res/res_security.xml
@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?><terp><data noupdate="1">
+    <record model="res.groups" id="group_account_manager">
+        <field name="name">Account Manager</field>
+    </record>
+
+    <record model="res.groups" id="group_partner_manager">
+        <field name="name">Partner Manager</field>
+    </record>
+</data></terp>
--- a/bin/addons/base/res/res_user.py
+++ b/bin/addons/base/res/res_user.py
@ -2,6 +2,7 @@
 ##############################################################################
 #
 # Copyright (c) 2004-2008 TINY SPRL. (http://tiny.be) All Rights Reserved.
+# Copyright (c) 2008 Camptocamp SA
 #
 # $Id$
 #
@ -29,6 +30,7 @@
 ##############################################################################

 from osv import fields,osv
+from osv.orm import except_orm
 import tools
 import pytz

@ -71,7 +73,8 @@ class roles(osv.osv):
    _columns = {
        'name': fields.char('Role Name', size=64, required=True),
        'parent_id': fields.many2one('res.roles', 'Parent', select=True),
-        'child_id': fields.one2many('res.roles', 'parent_id', 'Childs')
+        'child_id': fields.one2many('res.roles', 'parent_id', 'Childs'),
+        'users': fields.many2many('res.users', 'res_roles_users_rel', 'rid', 'uid', 'Users'),
    }
    _defaults = {
    }
@ -108,6 +111,7 @@ class users(osv.osv):
        'menu_id': fields.many2one('ir.actions.actions', 'Menu Action'),
        'groups_id': fields.many2many('res.groups', 'res_groups_users_rel', 'uid', 'gid', 'Groups'),
        'roles_id': fields.many2many('res.roles', 'res_roles_users_rel', 'uid', 'rid', 'Roles'),
+        'rules_id': fields.many2many('ir.rule.group', 'user_rule_group_rel', 'user_id', 'rule_group_id', 'Rules'),
        'company_id': fields.many2one('res.company', 'Company'),
        'context_lang': fields.selection(_lang_get, 'Language', required=True),
        'context_tz': fields.selection(_tz_get,  'Timezone', size=64)
@ -164,7 +168,7 @@ class users(osv.osv):

    def unlink(self, cr, uid, ids):
        if 1 in ids:
-            raise osv.except_osv(_('Can not remove root user!'), _('You can not remove the root user as it is used internally for resources created by Tiny ERP (updates, module installation, ...)'))
+            raise osv.except_osv(_('Can not remove root user!'), _('You can not remove the admin user as it is used internally for resources created by OpenERP (updates, module installation, ...)'))
        return super(users, self).unlink(cr, uid, ids)

    def name_search(self, cr, user, name='', args=None, operator='ilike', context=None, limit=80):
@ -225,7 +229,7 @@ class users(osv.osv):
               }
 users()

-class groups2(osv.osv):
+class groups2(osv.osv): ##FIXME: Is there a reason to inherit this object ?
    _inherit = 'res.groups'
    _columns = {
        'users': fields.many2many('res.users', 'res_groups_users_rel', 'gid', 'uid', 'Users'),
@ -271,8 +275,3 @@ class res_config_view(osv.osv_memory):
            }

 res_config_view()
-
-
-
-# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:
-